Critical ScreenConnect Flaw Exposes Machine Keys and Enables Session Hijacking
ConnectWise ScreenConnect disclosed a critical vulnerability, CVE-2026-3564 (CVSS 9.0), affecting versions prior to 26.1. The flaw stems from ScreenConnect storing unique per-instance machine keys and related cryptographic material in plaintext server configuration files, creating a path for attackers under certain conditions to extract those keys and abuse them for unauthorized access. The issue is classified as CWE-347: Improper Verification of Cryptographic Signature, and successful exploitation can undermine confidentiality, integrity, and availability in environments that rely on ScreenConnect for remote access.
With the exposed machine keys, an attacker could forge or manipulate session authentication tokens, hijack legitimate sessions, and elevate access without user interaction. ConnectWise rated the issue as high priority, and the Centre for Cybersecurity Belgium urged organizations to patch immediately, monitor for suspicious activity, and treat updates as protection against future exploitation rather than proof that no prior compromise occurred. The vendor states the issue is fixed in version 26.1, making rapid remediation and post-patch review important for on-premises deployments.
Timeline
Mar 18, 2026
National cyber agencies warn users to patch ScreenConnect immediately
On March 18, 2026, government cybersecurity bodies including Belgium's CCB and Canada's Cyber Centre amplified ConnectWise's advisory and urged organizations to review guidance and apply the 26.1 update promptly. Their notices highlighted the severity of the issue for ScreenConnect deployments prior to version 26.1.
Mar 17, 2026
ConnectWise discloses critical ScreenConnect flaw CVE-2026-3564
On March 17, 2026, ConnectWise disclosed a critical vulnerability in ScreenConnect affecting all versions prior to 26.1 that could let attackers extract or abuse ASP.NET machine keys, hijack session authentication, gain unauthorized access, and escalate privileges. The company urged on-premises customers to treat remediation as urgent and said it had no evidence of active exploitation of this specific CVE.
Mar 17, 2026
ConnectWise releases ScreenConnect 26.1 security hardening bulletin
ConnectWise published a security bulletin for ScreenConnect 26.1 security hardening, addressing a critical flaw later tracked as CVE-2026-3564. The update introduced stronger machine key protections, including encrypted storage and improved key management, and cloud-hosted instances were already mitigated.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Organizations
Affected Products
Sources
2 more from sources like belgium ccb security advisories and connectwise.com
Related Stories
Critical ScreenConnect Vulnerability Allows Configuration Data Exposure and Untrusted Extension Installation
ConnectWise released a security update for ScreenConnect to address a critical vulnerability, tracked as CVE-2025-14265, which affects the server component of the remote access platform. The flaw, caused by improper code integrity validation during extension installations (CWE-494), could allow attackers with authorized or administrative access to expose sensitive configuration data and install untrusted extensions. The vulnerability carries a CVSS 3.1 base score of 9.1, highlighting its severity, though ConnectWise reports no evidence of active exploitation at this time. The issue impacts all ScreenConnect versions prior to 25.8, and the 25.8 patch enforces stricter server-side validation and integrity checks for extension installations. ConnectWise has automatically applied updates to cloud-hosted ScreenConnect instances, while on-premises users must manually upgrade to version 25.8. Partners using Automate integration are advised to update their Automate ScreenConnect Extension before upgrading ScreenConnect itself. Security advisories from both ConnectWise and the Canadian Centre for Cyber Security urge organizations to prioritize patching to prevent potential unauthorized access and maintain secure remote management environments. The vulnerability is rated as Priority 2 – Moderate, with a recommended update window of 30 days, but immediate action is encouraged due to the risk of sensitive data exposure.
1 months ago
ConnectWise Automate Vulnerabilities Allowing Fake Updates and Unencrypted Communications
ConnectWise Automate, a widely used IT management platform, was found to contain two critical vulnerabilities, CVE-2025-11492 and CVE-2025-11493, which were addressed in the security update for version 2025.9. The first vulnerability, CVE-2025-11492, is rated with a CVSS score of 9.6 and arises from agents transmitting data without encryption when configured to use HTTP instead of HTTPS. This flaw allows attackers with network access to intercept or modify unencrypted communications, potentially exposing sensitive credentials or commands. The second vulnerability, CVE-2025-11493, with a CVSS score of 8.8, is due to missing integrity verification during the update process. This could enable attackers to inject malicious or tampered update files that appear legitimate, leading to unauthorized code execution on managed systems. Both vulnerabilities primarily affect on-premises deployments of ConnectWise Automate running versions prior to 2025.9. ConnectWise published a security advisory on October 16, 2025, urging customers to update to version 2025.9 to mitigate these risks. The Canadian Centre for Cyber Security also issued an alert, recommending that users and administrators review the advisories and apply the necessary updates immediately. The flaws highlight the risks associated with improper use of unsecured communication protocols and the lack of integrity checks in software update mechanisms. Organizations hosting on-premises Automate servers are particularly at risk if they have not yet applied the latest security fixes. The vulnerabilities could be exploited by attackers already present within the network, emphasizing the importance of internal network security and monitoring. The exposure of credentials or the ability to execute unauthorized code could lead to further compromise of managed endpoints. Security experts recommend that organizations not only update their ConnectWise Automate installations but also review their network configurations to ensure encrypted communications are enforced. The advisories stress the urgency of patching, as threat actors may attempt to weaponize these vulnerabilities quickly. The incident underscores the broader need for robust security practices in IT management platforms, which are often high-value targets for attackers. ConnectWise has provided detailed guidance and links to the latest advisories to assist customers in remediation. The vulnerabilities serve as a reminder of the importance of secure software development and regular security assessments for critical infrastructure tools. Organizations are advised to monitor for signs of exploitation and to implement additional controls where possible to mitigate the risk of similar vulnerabilities in the future.
1 months ago
CISA KEV Adds Marimo RCE, ScreenConnect Path Traversal, and Windows Spoofing Flaws
CISA updated its Known Exploited Vulnerabilities catalog to add three vulnerabilities now tracked as actively exploited: **CVE-2026-39987** in Marimo, **CVE-2024-1708** in ConnectWise ScreenConnect, and **CVE-2026-32202** in Microsoft Windows. The Marimo issue was added in a catalog update that raised the total count to 1,579 entries, while a later update increased the catalog to 1,585 entries and included the ScreenConnect and Windows flaws. CISA described **CVE-2026-39987** as an unauthenticated remote code execution vulnerability that can provide shell access and allow arbitrary system command execution before authorization, mapped to `CWE-306`. **CVE-2024-1708** was listed as a ScreenConnect path traversal flaw that could enable remote code execution or directly affect confidential data and critical systems, and **CVE-2026-32202** was identified as a Windows Shell protection mechanism failure that allows network spoofing by an unauthorized attacker. CISA directed organizations to apply vendor mitigations, follow **BOD 22-01** guidance for cloud services, or discontinue use if mitigations are unavailable; remediation deadlines were set for **2026-05-07** for Marimo and **2026-05-12** for the ScreenConnect and Windows entries.
4 days ago